What MFA options does easyAML support?
Three options, in order of preference: passkey (phishing-resistant, unlocked with Face ID, Touch ID or a device PIN), authenticator app (Google Authenticator, Authy, Microsoft Authenticator), and SMS one-time code. Email is deliberately not an option.
Overview
easyAML supports three MFA options, in order of preference: passkey, authenticator app (Google Authenticator, Authy, Microsoft Authenticator) and SMS one-time code. Email-based MFA is intentionally not offered. The email account is already the password-reset channel, so an attacker who controlled the mailbox could reset the password and read the second-factor code from the same inbox; both factors would collapse into one, and the MFA layer would add no security.
Comparing the methods
- Passkey - uses Face ID, Touch ID or a device PIN. Phishing-resistant because the credential is bound to the easyAML site origin and will not sign in to a look-alike domain; fastest day-to-day, no codes to type. Requires a supported modern device.
- Authenticator app - codes are computed on the phone from a secret shared at enrolment and the current time, so it works offline, has no telco dependency and works internationally. Requires the user to install an app. Unlike a passkey, a code can still be phished if the user types it into a fake login page while it is valid.
- SMS - familiar, no setup. Slowest, vulnerable to SIM-swap attacks, and unreliable internationally; codes expire after 2 minutes and, like app codes, can be phished in real time.
Choosing per user
The CO sets the required MFA method per user in Account Settings → Users → edit user → MFA. Passkey is the recommended default for most office staff; SMS is acceptable for local Australian staff who prefer it, with the understanding that it is the weakest of the three.
International staff and offshore mobiles
Staff who can't reliably receive Australian SMS - offshore partners, VAs in the Philippines or India, contractors who travel - should be switched to authenticator app or passkey, which work regardless of phone-number nationality and avoid the cost and unreliability of international SMS. To switch: open the user in the admin console, select "Authenticator App" or "Passkey" as the required method, and the user is prompted on next login to set it up (scan the QR code, or register a passkey). SMS MFA is then disabled for that user automatically, so make the change while the user is able to complete that next login and finish enrolment.
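To show why the authenticator-app option needs no network or telco, and what the enrolment QR code actually carries, here is an added example that is not easyAML's code. It implements the standard algorithm these apps use (RFC 6238 TOTP over RFC 4226 HOTP) for both sides: the phone's code generation and a server-side check. The secret is the RFC 6238 test key, the account name and issuer are made up, and the ±1 time-step tolerance and the replay rule are this example's design choices, not easyAML's documented behaviour.

```python
"""Authenticator-app (TOTP) mechanics: added example, not easyAML's code."""
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional
from urllib.parse import quote

DIGITS = 6   # Google Authenticator / Authy / Microsoft Authenticator default
PERIOD = 30  # seconds per time step (default for the same apps)
WINDOW = 1   # accept the previous and next step to tolerate phone clock skew


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, period: int = PERIOD, digits: int = DIGITS) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / period).

    This is all the phone does, which is why no network is needed: only the
    shared secret and a roughly correct clock."""
    return hotp(secret, at // period, digits)


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """Content of the enrolment QR code (the otpauth:// Key URI format the apps scan)."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}?secret={b32}"
            f"&issuer={quote(issuer)}&algorithm=SHA1&digits={DIGITS}&period={PERIOD}")


class TotpVerifier:
    """Server-side check for one enrolled user.

    Constant-time comparison within +/-WINDOW steps, and every accepted step is
    consumed so the same code cannot be replayed, e.g. after being phished."""

    def __init__(self, secret: bytes):
        self.secret = secret
        self.last_accepted_step = -1

    def verify(self, submitted: str, at: Optional[int] = None) -> bool:
        now = int(time.time()) if at is None else at
        step = now // PERIOD
        for candidate in range(step - WINDOW, step + WINDOW + 1):
            if candidate <= self.last_accepted_step:
                continue  # already used (or older than one we accepted): reject replay
            if hmac.compare_digest(hotp(self.secret, candidate), submitted):
                self.last_accepted_step = candidate
                return True
        return False


if __name__ == "__main__":
    # Constructed data: RFC 6238 test secret and an invented account/issuer.
    secret = b"12345678901234567890"
    print(provisioning_uri(secret, "alice@example.com", "easyAML"))
    verifier = TotpVerifier(secret)
    code = totp(secret, int(time.time()))          # what the phone would display now
    print("code:", code, "accepted:", verifier.verify(code))
    print("same code again accepted:", verifier.verify(code))  # False: replay
```

The RFC 6238 test vectors give a quick sanity check: with the secret above, the code at Unix time 59 is 287082 and at 1234567890 it is 005924. Note that the verifier's tolerance window is what makes a slightly wrong phone clock work, and also what bounds how long a phished code stays usable.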